A step-by-step approach to creating a Financial Intelligence Unit
By Gonzalo Sanchez, director, and Carmina Hughes, executive director, Daylight Forensic & Advisory, a New York-based anti-money laundering and fraud consultancy. Sanchez, based in the firm’s Miami office, spent 27 years in international banking before joining the firm. Hughes has served as special counsel for enforcement and special investigations at the Board of Governors of the Federal Reserve System and as an Assistant United States Attorney in Maryland.
A step-by-step approach to creating a Financial Intelligence Unit to better focus your bank’s efforts and expenses targeted at money laundering and terrorist finance
“I not only use all the brains that I have, but all that I can borrow” — Woodrow Wilson, 28th president
The financial services industry generates vast quantities of information pertaining to money laundering, terrorism financing, and fraud. Much data is not subject to adequate intelligence analysis; in other words, there’s “information waste.” That information is produced by the banks internally, as well as by the banking community and regulatory agencies. An effective “Financial Intelligence Unit” establishes protocols and procedures to make productive use of that information and to reduce waste.
Information waste produced internally by banks refers to all significant events related to high-risk products, geographies, and clients, as identified through the risk assessment process, that trigger the execution of a control, but with underlying components that are not recycled or analyzed further intelligently.
Here are examples of failures to capitalize on information:
1. Account opening. When a prospect fails to comply with customer identification procedures (CIP), due diligence, or enhanced due diligence (EDD) requirements, the application is likely to be rejected. However, the factors that triggered the execution of a control, such as dubious or incomplete information; failure to provide required information; or negative information found, are not analyzed to understand what type of client, business segment, geography, or type of product were related to that event.
2. Wire transfers. Each time a wire transfer triggers a positive hit against any of the sanctions lists, the transaction is blocked and reported to Treasury’s Office of Foreign Assets Control (OFAC). If the relevant aspects of that transaction, such as origin of the funds, jurisdiction of the transmitter, type of related business activity, correspondent bank involved, type of currency, etc., are not analyzed further, potentially valuable insight into an intended violation is lost.
3. Security threats. When hackers attempt to penetrate a financial institution’s network, and the activity is detected and aborted, it is often analyzed only to retrofit lessons learned into product design, rather than to gain an understanding of the business intelligence components of that event. There are important questions that should be asked: Why did the hacker choose that particular branch, product, and communication channel to attempt a penetration? Is the event related to a particular jurisdiction, geography, product, or client segment that might also be exposed to money laundering and/or terrorism financing?
4. Check fraud. Every time a fraudulent check is stopped and the fraud is aborted, but the business fails to analyze the details—Why did the fraudster choose that specific location?—an opportunity to gather important business intelligence is wasted. The good news is that a fraud was aborted; the not-so-good news is that the business failed to use the experience to help prevent future fraud.
Grab the low-hanging fruit
Those are examples of internal sources. There is also a wealth of relevant information, provided at no cost to financial institutions by regulatory agencies, that should be used to enhance an organization’s internal data collection. Below is a list of some valuable resources:
1. FinCEN. Treasury’s Financial Crimes Enforcement Network’s publications, such as the SAR Activity Review—Trends Tips and Issues, SARs By the Numbers, and Strategic Analytical Report. (SAR stands for Suspicious Activity Report.) These periodic publications focus on different aspects of the financial crimes phenomenon as gleaned from the suspicious activity reports (SARs) filed by financial institutions. For example, the May 2009 SAR Activity Review focused on the securities and futures industry; the Strategic Analytical Report issue of February 2009 focused on trends in mortgage loan fraud. (www.fincen.gov)
2. Egmont Group. Periodic reports generated by Egmont Group Financial Intelligence Units of 116 countries contain valuable information pertaining to laundering and terrorism financing in different jurisdictions. (www.egmontgroup.org)
3. Financial Action Task Force. Papers issued by the Financial Action Task Force provide valuable information about jurisdictions and typologies of money laundering, terrorist financing, and other criminal activities. (www.fatf-gafi.org)
These are but a few of the many publications freely available on the internet. While financial institutions are fairly effective in analyzing and learning from actual frauds or money laundering events by conducting “lessons learned” sessions, and enhancing systems and processes for future prevention, they sometimes ignore internally-generated or publicly available information about criminal trends that otherwise could support deterrence efforts.
Building a genuine FIU
Many financial institutions deem their transaction monitoring unit to be their financial intelligence unit and leave it at that. While transaction monitoring plays an important role in generating information to be used by the FIU, and is critical for compliance with certain Bank Secrecy Act requirements, the FIU concept must also include gathering and using other information readily available.
Approaching the process step by step:
1. Define the Model
There is no “one fits all” model, but one common necessity is strong support for the FIU from business management. Its success depends on the involvement, cooperation, and commitment of all areas involved in the fight against money laundering, terrorist financing, and fraud. The FIU should have a written mission statement adopted by senior management to guarantee buy-in throughout the organization. The FIU should have a designated FIU head responsible for defining and implementing the program full time. He or she would typically report to the Chief Compliance Officer or someone else of sufficient seniority, such as the General Counsel, Chief Risk Officer, or the head of Security and Investigations, to lend the FIU the stature it needs to function. (The specifics would depend on bank size and staff structure, of course.)
2. Define Roles & Responsibilities
Once the FIU head has been designated, that staffer will identify and designate Financial Intelligence Officers (FIOs) in each one of the following business units:
• Sales and Marketing
• General Counsel
• Physical Security
• Fraud Management and Investigations
• Information Security
• Operational Risk Management
• Financial Control
These individuals will represent their disciplines in the FIU and report on a dotted-line basis to the FIU head. They will combine day-to-day responsibilities at their units with specific responsibilities assigned by the FIU head.
3. Identify High-Risk Scenarios
Using the existing regulatory, AML, and operational risk assessments, FIOs should identify high risks relating to money laundering, terrorism financing, and fraud that affect their areas of expertise. For each of those risks, the FIOs should establish a reporting procedure to capture relevant events that generate financial intelligence, as described above, thereby making maximum use of the information gathered.
4. Establish a Data Repository
A common data repository should be set up to capture the following information generated internally:
• Relevant events derived from the risk assessments
• AML investigations for high risks generated from the transaction monitoring process
• SAR information
• Currency Transaction Report (CTR) information
• Relevant fraud investigations, including those related to check fraud, identity fraud, and ethical concerns
• Security threats, both e-crime related as well as physical, like bomb threats, etc.
Ideally, a designated officer reporting to the FIU head should work full time on establishing functional specifications for identifying an adequate technology platform, data capture specifications, data retrieving tools, and report design.
5. Define External Information Sources
The FIU head should identify the primary external information sources that the FIU will use. At a minimum, the FIU should use the previously mentioned FinCEN reports and other sources, including regulatory guidance, enforcement activities, and reports and guidance issued by private associations.
6. Define Data Repository Reports
The FIU and the FIOs should design the functional specifications for reports that will consolidate information from internal and external sources. These reports will be the main intelligence source for the FIU to identify recommendations for improvement in products and services.
7. Define Governance Protocols
Quarterly, the FIU head and the FIOs should review all recommendations for improvements to products and services derived from the analysis of the information contained in the data repository reports. Those recommendations should be escalated to senior management for implementation. The FIU and FIOs should monitor final implementation.
8. Measuring Success
The success of the FIU will be measured by the number of recommendations implemented to strengthen the products and service offerings. The recommendations coming from the FIU should be publicized broadly within the organization.
The electronic version of this article is available at: http://www.nxtbook.com/nxtbooks/sb/ababj1009/index.php?startid=50